Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-09-2024 15:51

General

  • Target

    e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe

  • Size

    275KB

  • MD5

    e2d7acd67f9ee3d5674971cf60acd7d7

  • SHA1

    709e59da1e0de8d078173458de1c5b543701fbd8

  • SHA256

    eb4bf8c7a95b40686ea4b7e70af3e6b4668b06f8ef112808a040caa82c2b2b63

  • SHA512

    a7844bbea6dcb1d37bf422cdebb97d814b7e48ff85a445498c0bfedd15c5b54de55c6adde74f8b70507056633fd7187a2ed580222df16bdbbd3f1703437a4ef4

  • SSDEEP

    6144:/DRYFav6UKLqmHP1cuuDmIsB0p3xzMw4H4GZ28pgGAz0FgnXN:ch2lmE3pxVkgGzC

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony (also tracked as Fareit) is an information-stealing trojan: it harvests stored credentials, for example from web browsers, FTP clients and mail clients, and can download and run further payloads.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a component key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; the command in its StubPath value runs at each user's next logon.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the victim system's language in order to infer the host's geographical location.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
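
A stand-alone check for what the "UPX packed file" signature reports. This is an added example, not the sandbox's own rule: it walks the PE section table and looks for the three usual UPX artifacts (sections named UPX0/UPX1, the "UPX!" magic, and a high-entropy section). The PE images it is run on are constructed inline with a small builder, and the 7.0 bits/byte entropy threshold is an assumed cut-off, chosen because a section with that entropy is almost certainly compressed or encrypted rather than code. The sample from this report is not embedded.

```python
"""Check a PE image for the usual signs of UPX packing (added example)."""
import math
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)
ENTROPY_THRESHOLD = 7.0   # assumed cut-off in bits per byte


def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, raw_ptr, raw_size))
    return sections


def shannon_entropy(buf):
    """Entropy in bits per byte; 8.0 is uniform, compiled code is usually 5-6.5."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data):
    """List the UPX indicators present: section names, the UPX! magic, high-entropy sections."""
    hits = []
    sections = pe_sections(data)
    if any(name.startswith("UPX") for name, _, _ in sections):
        hits.append("upx-section-names")
    if b"UPX!" in data:
        hits.append("upx-magic")
    # A "modified UPX" build may rename sections and strip the magic; the packed
    # section's entropy survives such cosmetic changes.
    for name, ptr, size in sections:
        if size and shannon_entropy(data[ptr:ptr + size]) > ENTROPY_THRESHOLD:
            hits.append(f"high-entropy:{name or '?'}")
    return hits


def build_pe(section_names, payload=b""):
    """Construct a minimal, non-executable PE with the given sections (test input only).

    Only the fields the walker reads are meaningful; the optional header is
    empty and the first section's raw data points at `payload`.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    n = len(section_names)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    data_off = e_lfanew + 4 + 20 + n * SECTION_HEADER_SIZE
    headers = b""
    for i, name in enumerate(section_names):
        raw_size, raw_ptr = (len(payload), data_off) if i == 0 else (0, 0)
        headers += (name.encode().ljust(8, b"\0")
                    + struct.pack("<II", 0, 0)               # VirtualSize, VirtualAddress
                    + struct.pack("<II", raw_size, raw_ptr)
                    + b"\0" * 16)
    return dos + b"PE\0\0" + coff + headers + payload


if __name__ == "__main__":
    compressed_like = bytes(range(256)) * 4          # constructed, uniform bytes
    for label, image in [
        ("stock upx", build_pe(["UPX0", "UPX1", ".rsrc"], compressed_like + b"UPX!")),
        ("renamed sections", build_pe([".text", ".data"], compressed_like)),
        ("plain", build_pe([".text", ".data"], b"A" * 512)),
    ]:
        print(f"{label:18} {upx_indicators(image)}")
```

On a real sample, read the file into `data` and call `upx_indicators`; an empty list from a file the sandbox flagged as UPX-packed means the packer was modified beyond what these three checks see, and unpacking (or a memory dump such as the 0x400000 regions listed under Downloads) is the next step.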

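The "Boot or Logon Autostart Execution: Active Setup" signature above says a key was written, but not whether it will fire. The check below is an added example (not code from the report or the sandbox): it parses a constructed REGEDIT5 .reg export of the HKLM and HKCU Active Setup hives and applies the rule Windows uses at logon, which is that a component's StubPath runs for a user when IsInstalled is not 0 and the HKCU marker for that component is either missing or carries a lower Version than the HKLM entry. The component GUIDs and StubPath values in the export are hypothetical; the user-profile path heuristic is an assumption and is deliberately weak, since this sample also writes under Program Files (x86).

```python
"""Find Active Setup components that will execute at the next logon (added example)."""
import re

HKLM_AS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
HKCU_AS = r"HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components"

# Constructed export (hypothetical GUIDs and paths): A has already run for this
# user, B is a user-profile stub with no HKCU marker, C is disabled, D was
# re-versioned in HKLM so it runs again.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\example_a.exe /firstlogon"
"Version"="12,0,7601,17514"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BBBBBBBB-0000-0000-0000-000000000002}]
"StubPath"="C:\\Users\\Admin\\AppData\\Roaming\\example\\stub.exe"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCCCCCCC-0000-0000-0000-000000000003}]
"StubPath"="C:\\Windows\\System32\\example_c.exe"
"IsInstalled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DDDDDDDD-0000-0000-0000-000000000004}]
"StubPath"="C:\\Windows\\System32\\example_d.exe"
"Version"="2,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000001}]
"Version"="12,0,7601,17514"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{DDDDDDDD-0000-0000-0000-000000000004}]
"Version"="1,0,0,0"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def parse_reg(text):
    """Parse the subset of .reg syntax used above into {key: {name: value}}.

    String values are unescaped, dword values converted to int; other value
    kinds (hex:, expandable strings) are ignored since Active Setup uses neither.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
    return keys


def version_tuple(v):
    """Active Setup Version strings are comma-separated integers, e.g. "1,0,0,0"."""
    return tuple(int(p) for p in v.split(",")) if v else ()


def components_that_will_run(keys):
    """Return [(component, stub_path, reason)] for entries that fire at next logon."""
    by_lower = {k.lower(): v for k, v in keys.items()}   # HKLM "SOFTWARE" vs HKCU "Software"
    prefix = HKLM_AS.lower() + "\\"
    hits = []
    for key, vals in keys.items():
        if not key.lower().startswith(prefix):
            continue
        component = key[len(prefix):]
        stub = vals.get("StubPath")
        if not stub or vals.get("IsInstalled", 1) == 0:
            continue
        user = by_lower.get((HKCU_AS + "\\" + component).lower())
        if user is None:
            reason = "no HKCU marker"
        elif version_tuple(vals.get("Version", "")) > version_tuple(user.get("Version", "")):
            reason = "HKLM Version newer than HKCU"
        else:
            continue
        hits.append((component, stub, reason))
    return hits


def in_user_writable_location(path):
    """Assumed heuristic only: a StubPath under Program Files can still be malicious."""
    low = path.lower()
    return any(tag in low for tag in ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\"))


if __name__ == "__main__":
    for comp, stub, reason in components_that_will_run(parse_reg(SAMPLE_REG)):
        flag = " [user-writable path]" if in_user_writable_location(stub) else ""
        print(f"{comp}: {stub} ({reason}){flag}")
```

To use it on a host, export both hives with `reg export` (the 32-bit view under Wow6432Node is a second HKLM prefix worth adding) and feed the text to `parse_reg`; every component returned will execute at the next interactive logon, regardless of whether the Run key entry the report also lists is removed.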
Processes

  • C:\Users\Admin\AppData\Local\Temp\e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\5FFA7\49232.exe%C:\Users\Admin\AppData\Roaming\5FFA7
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2936
    • C:\Users\Admin\AppData\Local\Temp\e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe startC:\Program Files (x86)\A7754\lvvm.exe%C:\Program Files (x86)\A7754
      2⤵
      • System Location Discovery: System Language Discovery
      PID:752
    • C:\Program Files (x86)\LP\3275\49DC.tmp
      "C:\Program Files (x86)\LP\3275\49DC.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2184
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2228
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1736
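
The tree above shows the sample spawning two copies of itself whose only argument has the form start<exe path>%<directory>, plus one dropped executable (49DC.tmp). Note that the Downloads section below lists 49DC.tmp and 7754.FFA but neither 49232.exe nor lvvm.exe, so those two paths are known only from the command lines and should be treated as locations to check on a host rather than confirmed artifacts. The script below is an added example, not part of the report: it transcribes the tree (parent PIDs are inferred from the indentation; the sandbox does not print them), parses the relaunch argument, flags the parent-and-child-same-image pattern, and collects the file paths worth hunting for.

```python
"""Pull relaunch targets and file IOCs out of the process tree (added example)."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e2d7acd67f9ee3d5674971cf60acd7d7_JaffaCakes118.exe"
DROPPED_TMP = r"C:\Program Files (x86)\LP\3275\49DC.tmp"

# Transcribed from the report's Processes section; ppid inferred from indentation.
TREE = [
    Proc(2348, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2936, 2348, SAMPLE, SAMPLE + r" startC:\Users\Admin\AppData\Roaming\5FFA7\49232.exe%C:\Users\Admin\AppData\Roaming\5FFA7"),
    Proc(752, 2348, SAMPLE, SAMPLE + r" startC:\Program Files (x86)\A7754\lvvm.exe%C:\Program Files (x86)\A7754"),
    Proc(2184, 2348, DROPPED_TMP, f'"{DROPPED_TMP}"'),
    Proc(2228, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(1736, None, r"C:\Windows\explorer.exe", "explorer.exe"),
]

# "start" glued directly onto a drive-letter path, with '%' separating the
# executable from its directory.  The image path itself is unquoted and may
# contain spaces, so anchor on the argument rather than splitting on whitespace.
RELAUNCH_RE = re.compile(r"\sstart([A-Za-z]:\\[^%]+)%([A-Za-z]:\\.*)$")


def parse_relaunch(cmdline):
    """Return (exe_path, directory) from a start<exe>%<dir> argument, else None."""
    m = RELAUNCH_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def self_relaunches(tree):
    """(pid, exe_path, directory) for children that are the parent's own image plus a relaunch argument."""
    by_pid = {p.pid: p for p in tree}
    hits = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        parsed = parse_relaunch(p.cmdline)
        if parent and parent.image.lower() == p.image.lower() and parsed:
            hits.append((p.pid, parsed[0], parsed[1]))
    return hits


def file_iocs(tree):
    """Paths to check on a host: relaunch targets plus dropped images the sample executed."""
    paths = {exe for _, exe, _ in self_relaunches(tree)}
    by_pid = {p.pid: p for p in tree}
    for p in tree:
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() != p.image.lower():
            paths.add(p.image)
    return sorted(paths)


if __name__ == "__main__":
    for pid, exe, directory in self_relaunches(TREE):
        print(f"pid {pid}: relaunch target {exe} (dir {directory})")
    print("file IOCs:", *file_iocs(TREE), sep="\n  ")
```

The same two predicates (child image equals parent image, command line matches `\sstart[A-Za-z]:\\.*%[A-Za-z]:\\`) translate directly into a process-creation rule for Sysmon event 1 or Security event 4688 with command-line auditing enabled; the `%`-joined pair of paths is unusual enough that it should not fire on legitimate installers.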

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\5FFA7\7754.FFA

    Filesize

    996B

    MD5

    c790645bc36e6f5cd401ea7c4be5f805

    SHA1

    332c03f8b352d7d587e1ad296cf150af127a3999

    SHA256

    0b78d03972f9446cf7a03c01a59793cb644a6038563e061615222397e7075f90

    SHA512

    5793e2b0c0f97d84222abb802c0be668835f634cab3745290253d0d962e45275b57b47dd3b65231a72adaa63f09f83dc976b7b8b216dc22e0b32d9934be9e215

  • C:\Users\Admin\AppData\Roaming\5FFA7\7754.FFA

    Filesize

    600B

    MD5

    44711d407baaa4437639ad4d0aa9f96f

    SHA1

    31f11f4d1cb2ba39dfac88e4b53b9103df976c2c

    SHA256

    6ea6e75f4d477dac3c62d721d9338cd7a45407fd7736c2c78a724b03651c8d08

    SHA512

    1342e9f936a00aee8a595e8c120d07c19eb6c26a28e647f7f7f1e71c6b146dd21841731530ec1bb7e67bc70c31faa1440def92611ae02a72fda7c3e266644f3e

  • C:\Users\Admin\AppData\Roaming\5FFA7\7754.FFA

    Filesize

    1KB

    MD5

    8a454a3d609c6b831ea5c3f412b68e20

    SHA1

    b64aca02f1b000178cbe116fd450a4dc9265b322

    SHA256

    4726654ed542bb79fe90f80dc17252fea1dc66a6296e42579089ece3fa6c9aed

    SHA512

    6912140dc80707844e6bf5f0b5d2cbe0237b527c07584027c3c4bddca909689ebba27fde305515ac7a5ee28061d735b5689cc1da1a37bc6b2695603736a30de9

  • \Program Files (x86)\LP\3275\49DC.tmp

    Filesize

    96KB

    MD5

    961cd443acc6e85b8270338e07219d7c

    SHA1

    583b803c1b7c9a0e38ffc9e92a72329efe27f0d5

    SHA256

    425a4ff41ea2822321edf7ba05ff7677cad1056749c4b60e52c42f399e10e0b8

    SHA512

    6d80acadd9791cc908e357a70a593dddfe08da2a975627e15a518d278175a13808af0805ed27fdffa6e937882bb51a75105a77bfdd7982045f6c18cbb20bc7ba

  • memory/752-117-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/752-116-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2184-289-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2348-114-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2348-0-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2348-15-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2348-13-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2348-3-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2348-287-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2348-2-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2348-293-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2936-17-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2936-16-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB